AI Security Review
scanned 3h ago · by lpm-firewall-aiThe postinstall hook obtains an opaque native payload and stores it in the package-local `vendor/` directory. The launcher executes that payload when the user runs `rein`. No source-confirmed credential harvesting, external configuration mutation, or exfiltration exists in the inspected JavaScript.
Static reason
One or more suspicious static signals were detected.
Trigger
npm installation triggers `postinstall`; invoking `rein` triggers execution of `vendor/rein`.
Impact
A compromised or substituted release asset can gain the privileges of the installing or CLI-running user.
Mechanism
remote native payload download, extraction, and later execution
Rationale
The reviewed JavaScript is a package-aligned installer/launcher, but it is an opaque remote native payload carrier whose integrity check trusts the same remote release source. That warrants a warning rather than a malicious block because no concrete malicious action is present in the inspected source.
Evidence
package.jsonscripts/postinstall.mjsbin/rein.jsREADME.mdvendor/rein-<platform>.tar.gzvendor/reinvendor/spawn-helpervendor/.rein-managed-by
Network endpoints1
github.com/rein-industries/rein/releases/download/v<version>
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `package.json` defines a `postinstall` hook.
- `scripts/postinstall.mjs` downloads a platform-native tarball during installation.
- Checksum data and executable archive come from the same GitHub release endpoint.
- `bin/rein.js` executes the downloaded `vendor/rein` binary on CLI use.
- The archive is unpacked and executables are chmodded in `vendor/`.
Evidence against
- Source writes only beneath the package's own `vendor/` directory.
- No source reads credentials, user files, agent configuration, or home directories.
- No shell interpolation, eval, or remote JavaScript execution is present.
- The download is version-pinned by default and has a SHA-256 consistency check.
- Lifecycle failures warn rather than abort installation.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License